posted by martyb on Friday August 19 2016, @07:32PM
from the keeping-things-to-yourself dept.

The latest NIST (United States National Institute of Standards and Technology) guidelines on password policies recommend a minimum of 8 characters. Perhaps more interesting is what they recommend against. They recommend against allowing password hints, requiring the password to contain certain characters (like numeric digits or upper-case characters), using knowledge-based authentication (e.g., what is your mother's maiden name?), using SMS (Short Message Service) for two-factor authentication, or expiring passwords after some amount of time. They also provide recommendations on how password data should be stored.

[Ed. Note: Contrary to common practice, I would advocate reading the entire linked article so we can have an informed discussion on the many recommendations in the proposal. What has been your experience with password policies? Do the recommendations rectify problems you have seen? Is it reasonable to expect average users to follow the recommendations? What have they left out?]

  • (Score: 4, Interesting) by The Mighty Buzzard on Friday August 19 2016, @08:12PM

    For two-factor authentication? No. It's a foolish and annoying game that can very easily leave you locked out of something you badly need to get into right freaking now. Memorize a line containing 30+ characters from a favorite song, movie, book, Trump speech and use it as your password. You'll remember it longer than your current password and it's a hell of a lot more secure.

    --
    My rights don't end where your fear begins.
  • (Score: 2) by NotSanguine on Friday August 19 2016, @08:24PM

    Memorize a line containing 30+ characters from a favorite song, movie, book, Trump speech and use it as your password. You'll remember it longer than your current password and it's a hell of a lot more secure.

    Better yet, memorize a *slightly modified* version of the above. For example:
    "It was twenty hours ago today, Sergeant Porpoise taught the band to play"

    Easy to remember, and just about impossible for a dictionary attack to break.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 2) by The Mighty Buzzard on Friday August 19 2016, @08:37PM

      I'd agree but any system that allows for unlimited, non-throttled password attempts (necessary for a dictionary attack) probably stores your shat plaintext anyway. Us, we're uber secure. We salt AND rot-26 users' passwords before storing them.

      --
      My rights don't end where your fear begins.
    • (Score: 2) by Gaaark on Friday August 19 2016, @08:48PM

      I've gone with the XKCD method of picking 4 or more random words, then with each site i visit, i tack on an identifier.

      My passwords are now at minimum 18ish characters. Add on the site identifier, and it explodes to another 8ish characters: so, usually a minimum of 26ish characters.
      I should probably go with a completely random pass for websites and let my desktop 'password keeper' thing memorize it, but i'm not used to having my desktop properly backed up until the last couple years, so am not in the habit.
      Now all i gotta do is have an externally sited desktop backup :(

      If i change my password every once in a while, it is easy to remember and change: just have to remember what my site identifier is and where i put it, lol.

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
      • (Score: 2) by hemocyanin on Friday August 19 2016, @09:06PM

        Have you tried diceware? Similar system but truly random:

        http://world.std.com/~reinhold/diceware.html

        • (Score: 2) by Gaaark on Saturday August 20 2016, @12:52AM

          I just choose 4-5ish words that have no connection with each other, but that seem to be easy for me to remember.

          If i had to rely on dice/random, i might not be able to remember it (i'd probably have a better chance of remembering the dice roll result, lol... numbers seem to be no problem for me: combination locks/door pin numbers/debit card numbers... it all just stays in the head for some reason).

          I just choose a bunch of words and find the ones that fit into my brain easily, i guess.

          --
          --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
      • (Score: 2) by art guerrilla on Friday August 19 2016, @11:44PM

        not sure to admit to this:
        but for 'non-secure', optional sites, i use a system of prefix(website)suffix...
        where the prefix and suffix are the same for all the sites, and the site name (or nickname, or abbrev, etc) is the distinguishing feature...
        um, i don't think i should give any examples...

        • (Score: 2) by Gaaark on Saturday August 20 2016, @12:48AM

          EXAMPLE:

          biggusdickusmontypython.comclipclop

          Is this what you mean? :)

          --
          --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
      • (Score: 1, Funny) by Anonymous Coward on Saturday August 20 2016, @01:22AM

        I've gone with the XKCD method too. I use correct horse battery staple everywhere.

  • (Score: 2) by tibman on Friday August 19 2016, @08:55PM

    Really looking for advice on a better two-factor. I'm already convinced it's a good thing. Currently use it on nearly everything (that has it) and have never been locked out. Also, you can do a 30+ character password and two-factor. You don't have to choose.

    It isn't used for every login (typically). It's used for the first login from an unrecognized device or to do something drastic like change your email address. The idea being that a password (hash) resides on the server which can be stolen en mass. The two-factor is something the user has that cannot be stolen during a server breach. SMS is especially nice, imo, because you get a text when someone unauthorized attempts to login to one of your accounts with your correct password. A very scary event. An air-gapped dongle can't do that. You would never know that one of your passwords has been somehow stolen.

    --
    SN won't survive on lurkers alone. Write comments.
    • (Score: 1, Informative) by Anonymous Coward on Friday August 19 2016, @11:41PM

      OATH (which is different from OAuth) has created a few algorithms: TOTP and HOTP are useful for 2FA, and OCRA can help prevent certain problems with its challenge-response structure.

      SMS is a terrible idea for 2FA according to most experts, even when it was proposed, but caught on anyway as it is a good technique to make users give you their phone numbers. In the world of tracking people, the phone number is the most valuable, especially now with everyone having cell phones.